service account does not have storage.objects.get access for Google Cloud Storage
Solution 1
The problem was apparently that the service account was associated with too many roles, perhaps as a result of previous configuration attempts.
These steps resolved the issue:
- removed all (three) roles for the offending service account (member) my_sa under IAM & Admin / IAM
- deleted my_sa under IAM & Admin / Service accounts
- recreated my_sa (again with role Storage / Storage Admin)
Effects are like this:
- my_sa shows up with one role (Storage Admin) under IAM & Admin / IAM
- my_sa shows up as member under Storage / Browser / my_bucket / Edit bucket permissions
Solution 2
It's worth noting that you need to wait a minute or something for permissions to be working in case you just assigned them. At least that's what happened to me after:
gcloud projects add-iam-policy-binding xxx --member "serviceAccount:[email protected]" --role "roles/storage.objectViewer"
Solution 3
Go to your bucket's permissions section and open the add permissions section for your bucket. For example, the insufficient service account that gcloud tells you about is:
[email protected]
Add this service as a user, then give it these roles:
- Cloud Storage - Storage Admin
- Cloud Storage - Storage Object Admin
- Cloud Storage - Storage Object Creator
Then you should have sufficient permissions to make changes on your bucket.
Drux
Updated on July 09, 2022
Comments
- Drux almost 2 years
I have created a service account in Google Cloud Console and selected role Storage / Storage Admin (i.e. full control of GCS resources). gcloud projects get-iam-policy my_project seems to indicate that the role was actually selected:
    - members:
      - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
      role: roles/storage.admin
    - members:
      - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
      role: roles/storage.objectAdmin
    - members:
      - serviceAccount:my_sa@my_project.iam.gserviceaccount.com
      role: roles/storage.objectCreator
And documentation clearly indicates that role roles/storage.admin comprises permissions storage.objects.* (as well as storage.buckets.*). But when I try using that service account in conjunction with the Google Cloud Storage Client Library for Python, I receive this error message:
my_sa@my_project.iam.gserviceaccount.com does not have storage.objects.get access to my_project/my_bucket.
So why would the selected role not be sufficient in this context?
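The cleanup in Solution 1 (strip the service account back to a single role) and the three-binding policy in the question above can be checked offline before touching IAM. The following audit is an added example, not code from the poster or from Google; it assumes the policy was exported with gcloud's --format=json, a constructed sample policy, and a deliberately simplified role-to-permission map (the roles/storage.admin entry mirrors what the question says the documentation states; real roles carry more permissions).

```python
import json
from fnmatch import fnmatch

# Constructed sample of `gcloud projects get-iam-policy my_project --format=json`
# shaped like the question's output; not real output from anyone's project.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin",
         "members": ["serviceAccount:my_sa@my_project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectAdmin",
         "members": ["serviceAccount:my_sa@my_project.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectCreator",
         "members": ["serviceAccount:my_sa@my_project.iam.gserviceaccount.com"]},
        {"role": "roles/viewer", "members": ["user:someone@example.com"]},
    ]
})

# Assumed, simplified role -> permission patterns (real roles grant more).
ROLE_PERMS = {
    "roles/storage.admin": ["storage.objects.*", "storage.buckets.*"],
    "roles/storage.objectAdmin": ["storage.objects.*"],
    "roles/storage.objectCreator": ["storage.objects.create"],
    "roles/storage.objectViewer": ["storage.objects.get", "storage.objects.list"],
}

def roles_for_member(policy_json, member):
    """Roles bound to `member` in a get-iam-policy JSON document, sorted."""
    policy = json.loads(policy_json)
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))

def grants(role, permission):
    """True if `role` covers `permission` under the assumed ROLE_PERMS map."""
    return any(fnmatch(permission, pat) for pat in ROLE_PERMS.get(role, []))

def covers(outer, inner):
    """True if every permission pattern of `inner` is matched by one of `outer`."""
    return all(any(fnmatch(p, q) for q in ROLE_PERMS.get(outer, []))
               for p in ROLE_PERMS.get(inner, []))

def audit_member(policy_json, member, permission):
    """Which bound roles grant `permission`, and which bindings are redundant
    because another bound role already covers everything they grant."""
    roles = roles_for_member(policy_json, member)
    return {
        "roles": roles,
        "granting": [r for r in roles if grants(r, permission)],
        "redundant": [r for r in roles
                      if any(o != r and covers(o, r) for o in roles)],
    }
```

For the sample policy the audit shows that storage.objects.get is already granted by roles/storage.admin and that the objectAdmin and objectCreator bindings add nothing, which is the state Solution 1 arrives at by removing them.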